The SMTP address and the HELO name are very similar in their trust
characteristics.
Both of them can be manipulated maliciously, but both can be verified with
similar techniques: using a DNS lookup to associate the name
assertion with the Source IP.
(We all know that the Source IP can be manipulated with a NAT device
sitting outside a network perimeter, but we ignore that possibility. If
it is happening, there are worse things than email verification occurring.)

We do know that Reverse DNS is often outside the control of the mail
domain, so it is actually a less reliable indicator of domain ownership
than HELO.

Overall, the SPF design seems very intuitive and defensible.
I think it is unrealistic to expect rapid implementation of DKIM signatures
on null-address messages, and HELO is a good substitute.  Nor does it seem
necessary.  I see no problem using HELO in my DMARC evaluations when the
SMTP address is null.

My data, cited previously, indicates that HELO can be useful for both
blacklisting and whitelisting. It should not be ignored.

Doug Foster

On Sat, Jan 30, 2021 at 7:44 PM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> Anything can be gamed if it is trusted without verification. But
> verifiable data is hard to game. If you ensure that HELO can be forward
> confirmed before considering it trusted, how is it risky?
>
>
> On Sat, Jan 30, 2021, 5:45 PM Michael Thomas <m...@mtcc.com> wrote:
>
>>
>> On 1/30/21 2:09 PM, John R Levine wrote:
>> > On Sat, 30 Jan 2021, Jim Fenton wrote:
>> >>> Part of the problem here is that DMARC generally sits on top of an
>> >>> SPF library which doesn't tell you how it got its result.  My DMARC
>> >>> code just calls the SPF library and uses the result.  I suppose I
>> >>> could put in a hack to say don't use the SPF result if the MAIL FROM
>> >>> is null, but I don't think that's what 7489 says.
>> >>
>> >> Are changes to 7489 off the table here? I didn’t know.
>> >
>> > They are certainly possible, but I would want a good reason.  At this
>> > point, SPF using HELO seems harmless so I don't see a reason to
>> > disallow it.
>> >
>> >
>> From a security standpoint, I wonder why you would want to allow
>> something you know can be gamed. But that is probably more a question
>> for SPF itself.
>>
>> Mike
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>
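
The forward confirmation of HELO discussed in this thread, shown as an added example that is not part of any message above: the HELO name is trusted as an identity for a null MAIL FROM only if it resolves to the connecting IP. The resolver function, the sample DNS table and all function names are constructed for illustration; this checks forward confirmation only and does not evaluate an SPF record.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); stands in for A/AAAA lookups.
SAMPLE_DNS = {
    "mx1.example.org": ["192.0.2.25", "2001:db8::25"],
    "mail.example.net": ["198.51.100.7"],
}

def sample_resolver(name):
    """Hypothetical resolver: return the address strings published for name."""
    return SAMPLE_DNS.get(name.lower().rstrip("."), [])

def helo_forward_confirmed(helo, source_ip, resolve=sample_resolver):
    """True only if the HELO name resolves to the connecting IP."""
    src = ipaddress.ip_address(source_ip)
    # Compare IPv4-mapped IPv6 sources (::ffff:a.b.c.d) as plain IPv4.
    if src.version == 6 and src.ipv4_mapped:
        src = src.ipv4_mapped
    name = helo.strip().rstrip(".")
    # Address literals and single-label names assert no domain to confirm.
    if name.startswith("[") or "." not in name:
        return False
    for text in resolve(name):
        try:
            if ipaddress.ip_address(text) == src:
                return True
        except ValueError:
            continue  # ignore malformed records
    return False

def identity_for_null_sender(mail_from, helo, source_ip, resolve=sample_resolver):
    """Pick the domain to evaluate: the MAIL FROM domain, or a
    forward-confirmed HELO name when MAIL FROM is null (<>)."""
    sender = mail_from.strip().strip("<>")
    if sender:
        return ("mailfrom", sender.rsplit("@", 1)[-1].lower())
    if helo_forward_confirmed(helo, source_ip, resolve):
        return ("helo", helo.strip().rstrip(".").lower())
    return ("none", None)
```
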